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Tim  Levin 
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Abstract.  A  wide  range  of  security  services  may  be  available  to  applications  in  a  heterogeneous 
computer  network  environment  Resource  Management  Systems  (RMSs)  responsible  for  assigning 
computing  and  network  resources  to  tasks  need  to  know  the  resource-utilization  costs  associated 
with  the  various  network  security  services.  In  order  to  understand  the  range  of  security  services 
an  RMS  needs  to  manage,  a  preliminary  security  service  taxonomy  is  defined.  The  taxonomy  is 
used  a  s  framework  for  a  preliminary  method  for  defining  the  costs  associated  with  network  secu¬ 
rity  services. 


1  Introduction 

Several  efforts  are  underway  to  develop  middleware  resource  management  systems  (RMSs)  that 
will  logically  combine  a  wide  range  of  network  resources  to  construct  a  “virtual”  computational 
system  [2]  [5]  [10].  Geographically  distributed,  heterogeneous  resources  are  expected  to  be  used 
to  support  applications  with  a  wide  range  of  computation  needs.  Large  parallelized  computations 
found  in  fields  such  as  astrophysics  [11],  aerodynamics,  meteorology,  etc.  will  require  allocation 
of  perhaps  hundreds  of  individual  processes.  Multimedia  applications,  such  as  voice  and  video 
will  impose  requirements  for  low  jitter,  minimal  packet  losses,  and  isochronal  data  rates.  Adaptive 
applications  will  need  to  adjust  to  changing  conditions.  The  RMS  in  such  an  environment  is 
responsible  for:  efficiently  scheduling  multiple  simultaneous  tasks  onto  specific  network 
resources;  supporting  user  requirements  for  performance  and  security  (viz,  QoS);  and  providing 
support  for  tasks  to  adapt  to  changing  resource  availability. 

Users  or  applications  submit  tasks  to  the  RMS,  which  schedules  the  tasks  for  execution.  As  part 
of  the  process  of  estimating  efficient  task  schedules,  the  RMS  must  balance  resource-usage  costs 
against  user  benefits.  Specifically,  there  might  not  exist  sufficient  resources  to  maximize  the  bene¬ 
fits  to  all  users.  Thus  the  RMS  must  quantify  the  costs  associated  with  tihe  entire  range  of  network 
services.  These  include  bandwidth,  task  execution  speed,  latency,  jitter,  etc.  Costing  of  security 
services  in  this  context  has  received  little  attention.  The  challenge  is  to  associate  costs  with  the 
entire  range  of  network  security  services. 

The  purpose  of  this  paper  is  to  present  a  preliminary  taxonomy  of  security  services,  and  to  show 
how  this  taxonomy  can  be  used  as  the  foundation  of  a  system  for  supplying  security-costing  infor- 


1 .  This  research  was  supported,  in  part,  by  the  DARPA/ITO  Quorum  Program. 
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mation  to  an  RMS.  Section  2  presents  our  preliminary  taxonomy.  Section  3  is  a  sketch  for  how  the 
structure  of  the  taxonomy  might  be  used  to  define  quality  of  security  service  requests  to  an  RMS. 
Section  4  examines  how  the  cost  of  using  various  elements  of  the  taxonomy  might  be  presented  to 
an  RMS;  and  Section  4  is  a  summary  conclusion. 

2  Taxonomy  of  Security  Services 

Users  and  applications  on  the  network  are  presented  with  various  security  services  (e.g.,  authen¬ 
ticity,  confidentiality,  integrity,  non-repudiation,  etc.).  A  security  service  may  be  used  to  imple¬ 
ment  one  or  more  security  policies  (organizational  or  automated  [16]),  which  are  in  turn 
implemented  by  one  or  more  security  mechanisms.  Some  mechanisms  provide  fixed  services,  and 
some  are  variant.^  Additionally,  the  RMS  may  make  choices  for  the  user  regarding  variant  secu¬ 
rity  mechanisms,  as  part  of  its  schedule  formulation  or  adaptive  re-scheduling  (see  Section  4 ). 

Each  security  mechanism  is  associated  with  a  service  area,  which  indicates  the  general  topograph¬ 
ical  component  of  the  network  in  which  the  security  or  protection  is  effective.  The  taxonomy 
identifies  three  service  areas:  end  system  (e.g.,  a  client  or  server  system),  intermediate  node  (e.g., 
routers,  switches),  and  network  connection  (i.e.,  the  “wire”  connecting  various  systems  and 
nodes).  Security  mechanisms  associated  with  end  systems  and  intermediate  nodes  protect 
resources  (e.g.,  data  and  programs)  that  are  associated  with  a  node  or  system;  for  network  connec¬ 
tions,  we  are  concerned  with  mechanisms  for  protecting  information  that  is  physically  in  transit. 

Table  1  provides  our  preliminary  taxonomy.  It  lists  security  services,  example  mechanisms  and 
associated  service  areas.  The  service  areas  are  designated:  “IM”  for  Intermediate  Node,  “W”  for 
wire,  and  “ES”  for  End  System.  The  Total  Subnet  (TS)  service  area  identifies  mechanisms  that 
cannot  be  assigned  exclusively  to  either  of  IN,  W,  or  ES. 

2.1  Rationale  for  the  Taxonomy 

In  constructing  a  taxonomy  one  wishes  it  to  be  both  useful  and  complete.  Since  a  taxonomy  is 
simply  an  organizational  artifice,  it  must  have  reason  to  exist,  which  is  its  usefulness.  Addition¬ 
ally,  the  taxonomy  fails  if  it  does  not  account  for  all  of  the  elements  of  the  classes  that  it  attempts 
to  organize. 

We  have  found  this  taxonomy  to  be  a  useful  tool  for  characterizing  the  security  services  and 
requirements  that  a  RMS  might  encounter  in  the  network  context.  As  such,  it  is  useful  for  organiz¬ 
ing  a  quality  of  security  service  request  (see  Section  3  )  and  for  presenting  costs  to  a  Resource 
Management  System  (See  Section  4 ). 

As  for  completeness,  we  assert  preliminarily  that  the  top  level  is  complete.  Our  taxonomy 
includes  the  traditional  security  categories  found  in  the  literature,  e.g.,  Pfleeger  [12]  (confidential¬ 
ity/integrity/availability),  Ford  [4]  (authentication/access  control/confidentiality/integrity/non¬ 
repudiation)  Stallings  [15](confidentiality/integrity/availability/authentication/nonrepudiation/ 
access  control)  (Note  that  in  the  latter  two  examples  we  find  “access  control”  to  be  redundant  with 
availability,  confidentiality  and  integrity).  Empirically,  all  of  the  example  mechanisms  that  we 
have  examined  so  far  have  been  accounted  for  in  our  top  level  list  of  security  services. 


1 .  Variant  mechanisms  offer  the  user  various  “degrees,”  or  strengths,  of  security  (viz.,  over  and  above  some  minimum 
requirement).  See  [9]  for  details. 
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Table  1:  Preliminary  Security  Service  Taxonomy 


SECURITY  SERVICE 


SERVICE 

AREA 


EXAMPLE  SECURITY  MECHANISMS 


Data  Confidentiality 


IN 


W 


ES 


OS  access  controls,  Cryptographic  credentials 


40-bit  DES,  128-bit  Blowfish 


OS  access  controls,  Cryptographic  credentials 


Traffic  Flow  Confidentiality 


IN 


W 


ES 


Active  network  nodes  monitor  traffic  and  inject  dummy  packets  in 
response  to  certain  triggering  conditions. 


communications  uses  a  Virtual  Private  Network  with  encapsulated 
packets 


Traffic  padding  up  to  a  defined  maximum  is  provided.  Beyond  that 
maximum,  traffic  flow  confidentiality  cannot  be  guaranteed 


Data  Integrity 


IN 


W 


ES 


OS  access  controls.  Cryptographic  credentials 


cryptographic  chaining,  integrity  sequence  numbers,  and  digital  sig¬ 
natures 


OS  access  controls.  Cryptographic  credentials 


Authenticity 


IN 


W 


ES 


Active  network  supports  intemode  authentication  based  on  digital 
signatures. 


data  origin  authentication,  i.e.  IP  address,  digital  signatures 


OS  identification  and  authentication  mechanism;  use  of  Digital  Sig¬ 
nature  Standard;  use  of  trusted  certificate  authority 


Non-Repudiation 


IN 


ES 


Active  network  nodes  report  transactions  to  secure  logging  facility. 


digital  notary  and  non-repudiation  services 


Guarantee  of  Service, 
Availability 


IN 


W 


ES 


Active  network  nodes  reserve  bandwidth  for  network  administrative 
traffic.  Priority-based  scheduling  for  application  traffic. 


bandwidth  reservation  protocol. 


time-slicing  scheduler,  FIFO  scheduler  with  preemptive  interrupts. 


Audit 

and  Intrusion  Detection 


IN 


TS 


auditing  of  network  control  functions 


rule-based  and  profile-based  network  intrusion  detection,  intrusion 
correlation  engine  to  identify  intrusions  across  a  group  of  subnets 


Boundary  Control 


TS 


firewall,  proxy  server,  guard 


The  second  level  (viz.,  end  system,  intermediate  node,  and  network  connection)  is  a  simple 
enough  partitioning  of  the  generic  network  topology  that  we  claim  it  to  be  complete  through 
inspection.  The  list  of  mechanisms  in  Table  1  is  not  intended  to  be  exhaustive,  but  provides  a 
framework  for  illustrating  the  taxonomy. 
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3  Quality  of  Security  Service  Requests 

The  security  service  taxonomy  may  be  useful  in  understanding  how  security  is  involved  in  a  Qual¬ 
ity  of  Service  request.  Security  in  the  Quality  of  Service  context  has  traditionally  implied  the  gen¬ 
eral  notions  of  one  or  more  of  the  following:  confidentiality,  authenticity,  access  control,  and 
integrity  [3]  [13].  However,  there  is  no  reason  why  a  Quality  of  Security  Service  request  could  not 
include  all  of  the  elements  from  “Security  Service”  and  “Service  Area”  in  Table  1.^  In  other 
words,  we  envision  a  security  vector  in  a  fully-functional  Quality  of  Service  request  to  include 
levels  of  service  for  the  range  of  security  services  and  mechanisms  that  we  have  identified.  Thus, 
a  generic  QoS  request  would  look  something  like  the  following  in  a  BNF-style  notation: 

QoS  Request  ::=  task_specifier,  security_vector,  performance_vector,  other_factors 

And  a  security  vector  would  appear  as  follows: 

security_vectoi;  ::=  security_component  [,  security_component]* 
security_component  :=  security_service,  service_area,  level 
security_service  ::=  <services  from  Table  1> 
service_area  ::=  [ES  I  IN  I W] 

level  ::=  <mechanism-dependent  security-level  indicator> 

A  component  may  be  included  in  the  security  vector  for  each  variant  security  mechanism,  i.e.,  for 
each  mechanism  in  the  network  environment  that  provides  to  the  user  a  choice  of  security  “level.” 
For  example,  a  partial  security  vector  might  look  like  this: 

data  confidentiality,  W,  crypto-high  (e.g.,  128-bit  keys), 

authenticity,  W,  medium  (e.g.,  public-key  signature), 

nonrepudiation,  ES,  high-assurance  (e.g..  Common  Criteria  rating  EAL7  [1]) 

Here,  for  the  sake  of  exposition,  the  “level”  of  each  security  component  is  somewhat  arbitrarily 
assigned.  Establishment  of  nomenclature  and  metrics  for  these  levels  is  the  subject  of  ongoing 
investigations  [7]  [18].  Translation  mechanisms  [6]  may  be  utilized  in  presenting  a  high-level 
Quality  of  Security  Service  interface  to  the  user,  while  managing  parameters  (such  as  a  suitable 
translation  of  “level”)  to  the  underlying  detailed  security  mechanisms. 

4  Costing  of  Security  Services 

To  motivate  the  need  for  security  costing  information,  a  specific  RMS  scheduling  mechanism  is 
described.  We  will  show  how  this  work  requires  detailed  security  costing  information. 

Resource  management  systems  are  responsible  for  efficiently  scheduling  multiple  tasks  onto  com¬ 
puting  and  network  resources  in  a  distributed,  heterogeneous  computing  environment.  RMSs  sup¬ 
port  Quality  of  Service  by  scheduling  to  meet  user  requirements  for  performance  and  security,  and 
by  providing  support  for  tasks  to  adapt  to  changing  network  resource  availability. 

An  RMS  schedules  tasks  for  execution  in  the  network  in  response  to  requests  from  users  or  appli- 


1.  Given  that  the  over-arching  network  security  policy  demands  some  minimum  levels  of  security  service,  selections 
for  QoSS  may  be  provided  to  users  to  any  degree  of  security  over  and  above  those  minimum  levels.  A  system  can 
always  provide  more  security,  at  the  user's  discretion,  than  the  minimum  required  by  the  base  security  policy, 
while  still  complying  with  that  policy.  Finally,  in  order  to  meet  performance  or  other  objectives,  a  user  may  indi¬ 
cate  a  maximum  security  service  to  be  provided  by  the  system. 
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cations.  The  task  may  be  submitted  with  a  QoS  “specification,”  which  articulates  the  user’s 
desired  quality  of  service,  including  security  services.  An  RMS  currently  under  investigation,  the 
Management  System  for  Heterogeneous  Networks  [5],  has  as  its  primary  goal  determination  of 
the  best  scheduling  support  for  many  diverse  applications,  each  with  its  own  quality  of  service 
requirements,  in  a  distributed,  heterogeneous  environment.  MSHN  preserves  compatibility  with 
existing  security  policies,  applications  and  operating  systems  through  its  middle- ware  role.  This  is 
in  contrast  to  network  operating  systems,  which  strictly  control  the  access  to  and  utilization  of 
resources,  and  usually  require  modifications  to  the  OS,  application,  or  security  policy. 

The  MSHN  RMS  constructs  task  schedules  based  on  a  network  infrastructure  model.  This  model 
includes  the  resource  and  security  requirements  of  current  and  waiting  tasks,  and  the  security  and 
availability  of  network,  computing  and  storage  resources.  The  resulting  schedules  are  provided  to 
task  handlers  that  run  the  tasks  and  provide  feedback  to  the  scheduler.  If  the  model  is  inaccurate 
(e.g.,  security  or  resource  availability  changes),  the  RMS  adjusts  its  model  and  potentially 
reschedules  the  tasks  (see  Figure  1  on  page  6). 

RMS  schedule  construction  consists  of  several  logical  phases,  or  steps: 

1.  In  the  reduction  phase,  the  scheduler  finds  the  realizable  resource  assignments  for  the  task  by 
discarding  the  possible  assignments  that  will  not  work  according  to  the  model.  In  addition  to 
resource  availability  matching  (e.g.,  required  service  type  vs.  resource  type),  security  plays  a 
key  role.  Both  the  task  and  the  resources  are  characterized  by  security  requirements.  Those  of 
the  task  must  be  met  by  a  subset  of  the  resources.  Those  of  the  resources  constrain  the  task. 
The  task’s  security  characteristics  are  compared  to  the  minimum  security  requirements  of  the 
various  resources  and  infrastructure  components  to  determine  where  the  task  can  run.  Addi¬ 
tionally,  the  task’s  minimum  and  maximum  security  requirements  (e.g.,  reflecting  the  user’s 
QoS  security  specification)  are  compared  to  the  services  available  from  the  resources  and  infra¬ 
structure.  The  result  is  a  set  of  resource-assignment  “solutions,”  where  each  solution  identifies 
various  resources  sufficient  to  run  the  task. 

2.  The  resource  usage  costs,  including  costs  for  accessing  security  services,  are  derived  for  the 
various  solutions. 

3.  In  the  optimization  phase,  an  “optimum”  solution  is  heuristically  selected.  The  criteria  for 
selection  is  to  (attempt  to)  minimize  costs  and  to  maximize  the  QoS  benefit  to  the  users  ( [7] 
[9]  [17]).  I.e.,  using  realizable  resources  from  the  reduction  phase,  the  scheduler  attempts  to 
create  a  schedule  to  meet  QoS  requirements  for  all  of  its  tasks.  In  order  to  support  as  many 
tasks  as  possible,  the  scheduler  must  meet  the  typical  task  scheduling  constraints  while  mini¬ 
mizing  resource  usage  costs. 

After  step  3,  some  RMSs  may  make  various  network  resource  reservations.  Finally,  the  task  is 
submitted  for  execution. 

If  a  particular  security  mechanism  is  “fixed”  (i.e.,  always  applied)  then  the  overhead  for  the  mech¬ 
anism  is  part  of  the  normal  cost  of  mnning  the  task  and  the  normal  costing  mechanism  used  by  the 
RMS  will  suffice.  For  variant  security  mechanisms,  however,  the  security  overhead  will  vary, 
depending  on  the  user's  QoS  request.  Some  task  invocations  will  utilize  little,  if  any,  of  the  variant 
mechanism  and  other  invocations  may  utilize  the  mechanism  at  an  increased  level.  Also,  the 
scheduler  may  adapt  security  support,  while  maintaining  any  minimum  system  security  policy 
requirements,  in  order  to  schedule  the  tasks  most  efficiently.  The  RMS  must  calculate  how  much 
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FIGURE  1.  Resource  Scheduler,  the  task  handler  is  responsible  for  realizing  the  scheduler’s 
execution  plan  and  provides  feedback  to  the  scheduler  so  that  it  can  dynamically  adapt  the 
schedule  to  evolving  resource  conditions. 


the  use  of  the  security  mechanism  will  increase  the  cost  of  the  task,  according  to  the  specific  secu¬ 
rity  “level”  requested.  For  this  reason,  the  RMS  must  have  access  to  detailed  information  about 
the  resource  cost  (as  well  as  the  task’s  requested  QoS)  for  each  variant  security  mechanism.  Near- 
optimal  solution  selection  depends  on  the  accurate  estimation  of  per-task,  per-resource,  cost  of 
security. 

The  RMS’s  costing  information  may  be  table-driven  or  algorithm-based.  The  cost  measurement 
scale  may  vary  for  each  mechanism  and  resource.  A  costing  example  follows. 

4.1  Costing  Example 

The  security  overhead  for  several  security  mechanisms  is  shown  in  Table  2. 

The  data  confidentiality  mechanism  is  a  40-bit  DBS  encryption  mechanism  implemented  in  the 
link  layer.  For  message  non-repudiation,  a  commercial  non-repudiation  service  mechanism  is 
used.  The  cost  of  using  this  mechanism  is  a  per-message  exchange  of  n  bytes  with  the  remote  non¬ 
repudiation  server,  and  c  clocks  per  message-byte  to  create  the  crypto-checksum  for  the  message. 
The  intrusion  detection  mechanism  is  shown  to  use  a  fixed  overhead  of  the  network  bandwidth 
(e.g.,  for  sampling  and  probing)  along  with  constant  processor  and  storage  overhead. 
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Table  2:  Security  Cost  Examples 


Security  Service 

Ser¬ 

vice 

Area 

Mechanism 

Cost  Measure 

Data  Confidentiality 

Wire 

link  layer  40-bit  DES 

Processor  clocks  per  byte  [14] 

Message  Non- 
Repudiation 

ES 

remote  non-repudia¬ 
tion  service 

2n  bytes  per  message  network  band¬ 
width,  plus  c  clocks  per  byte 

Intrusion  Detection 

TS 

experimental  ID  sys¬ 
tem 

n  Mbytes  per  second  of  overall  band¬ 
width,  plus  m  instructions  per  second, 
plus  b  bytes  per  second  storage 

Costing  information  is  provided  to  the  scheduler,  which  will  use  these  data  and  its  current  system 
model  to  select  services,  including  those  for  security,  that  maximize  the  benefit  for  the  collection 
of  tasks  it  is  serving  [8]. 


5  Discussion  and  Conclusion 

A  security  taxonomy  has  been  presented  for  describing  functional  requirements  of  network  secu¬ 
rity  policies.  It  has  been  shown  that  this  taxonomy  can  be  used  for  different  purposes,  including  a 
costing  framework  for  network  security  mechanisms.  Continued  effort  is  required  to  determine 
the  best  units  for  the  cost  measures.  For  example,  all  measure  could  be  unitless  and  normalized 
within  a  common  framework.  This  approach  would  require  a  careful  description  of  the  semantics 
of  the  units  with  respect  to  each  security  service.  Alternatively,  units  can  he  retained  and  the  com¬ 
ponents  combined  into  a  “vector”  to  be  used  by  the  RMS  scheduler. 
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